You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Nik Ogura <ni...@gmail.com> on 2010/05/25 16:26:20 UTC
Taint Mode Seems to be Ignored
Hello.
Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
I've noticed what seems to be a case of Taint mode being ignored with
respect to CGI params when running under mod_perl.
The following:
#!/usr/bin/perl -T
use strict;
use warnings;
$ENV{'PATH'} = "/bin:/usr/bin";
#delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
use CGI;
my $q = CGI->new;
my $foo = $q->param('foo');
open OF, "> /tmp/$foo";
print OF "blah blah blah";
close OF;
print "Content-type: text/html\n\n";
print "Taint: ${^TAINT}<br>";
print "done<br>";
Behaves normally when run without mod_perl, i.e. it tosses 500 errors
and screams bloody murder. However with the following setup: (only
relevant parts shown)
PerlTaintCheck On
PerlWarn On
<VirtualHost *:80>
Alias /cgi-bin/ /usr/lib/cgi-bin/
<Directory /usr/lib/cgi-bin>
Options +ExecCGI -Multiviews
SetHandler perl-script
PerlOptions +ParseHeaders
PerlResponseHandler ModPerl::Registry
</Directory>
</VirtualHost>
The cgi runs without error, opening files under /tmp based on CGI
parameter inputs. The taint mode flag shows that taint mode is enabled,
and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
same with both PerlTaintCheck On and PerlSwitches -T.
What am I missing? I have production code that is apparently not as
protected as I would like.
Thanks in advance.
--
-Nik
Re: Taint Mode Seems to be Ignored
Posted by Nik Ogura <ni...@gmail.com>.
That sure explains what I'm seeing. I'll have to see if I can break
loose time to dig into the internals. We have too many less
sophisticated developers and cgi scripts running under Registry and
PerlRun to fully convert to Apache2::Request.
Thanks for the solution.
--
-Nik
Re: Taint Mode Seems to be Ignored
Posted by Scott Gifford <sg...@suspectclass.com>.
Last I heard, taint mode in mod_perl didn't always work. See:
http://marc.info/?l=apache-modperl&m=119749949626698&w=2
That was a while back, maybe it's been fixed by now.
-----Scott.
On Tue, May 25, 2010 at 10:26 AM, Nik Ogura <ni...@gmail.com> wrote:
> Hello.
>
> Running Apache 2.2.12, mod_perl 2.0.4, perl 5.10.0, and CGI.pm 3.29.
>
> I've noticed what seems to be a case of Taint mode being ignored with
> respect to CGI params when running under mod_perl.
>
> The following:
>
> #!/usr/bin/perl -T
>
> use strict;
> use warnings;
>
> $ENV{'PATH'} = "/bin:/usr/bin";
> #delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
>
> use CGI;
> my $q = CGI->new;
>
> my $foo = $q->param('foo');
>
> open OF, "> /tmp/$foo";
>
> print OF "blah blah blah";
> close OF;
>
> print "Content-type: text/html\n\n";
>
> print "Taint: ${^TAINT}<br>";
>
> print "done<br>";
>
> Behaves normally when run without mod_perl, i.e. it tosses 500 errors
> and screams bloody murder. However with the following setup: (only
> relevant parts shown)
>
> PerlTaintCheck On
> PerlWarn On
>
> <VirtualHost *:80>
> Alias /cgi-bin/ /usr/lib/cgi-bin/
>
> <Directory /usr/lib/cgi-bin>
> Options +ExecCGI -Multiviews
>
> SetHandler perl-script
> PerlOptions +ParseHeaders
> PerlResponseHandler ModPerl::Registry
> </Directory>
>
> </VirtualHost>
>
> The cgi runs without error, opening files under /tmp based on CGI
> parameter inputs. The taint mode flag shows that taint mode is enabled,
> and if $ENV{PATH} is not cleaned, it throws errors. The behavior is the
> same with both PerlTaintCheck On and PerlSwitches -T.
>
> What am I missing? I have production code that is apparently not as
> protected as I would like.
>
> Thanks in advance.
>
> --
> -Nik
>
>